Date: Wed, 24 Jun 1998 20:49:19 -0700 From: David Greenman <dg@root.com> To: security@FreeBSD.ORG Subject: Re: bsd securelevel patch question Message-ID: <199806250349.UAA08929@implode.root.com> In-Reply-To: Your message of "Wed, 24 Jun 1998 15:37:28 PDT." <199806242237.PAA19784@kithrup.com>
next in thread | previous in thread | raw e-mail | index | archive | help
>I think David was talking about using traditional ACL's on files. He wasn't >terribly clear, however; he also could have meant something like /dev/io >(which, when you open it, allows you to execute in/out instructions). > >I have asked him what kind of priv's he's talking about in general; there are >some rather obvious ones (PRIV_CHUID, PRIV_IO, etc.), but I suspect he has >more in mind. I can imagine that the list could be on the order of 32 large. This is one of the reasons why I don't think that a gid based scheme scales very well. You'd have to do a search through the fairly large group set each time you wanted to check for the capability. Even if we did implement the gid method externally, I still think that the kernel internal representation would be best handled by a privilege mask. -DG David Greenman Co-founder/Principal Architect, The FreeBSD Project To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806250349.UAA08929>